qpid-proton mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Clemens Vasters <cleme...@microsoft.com>
Subject AW: AW: SASL negotiation w/ EXTERNAL
Date Wed, 16 Sep 2015 16:34:32 GMT
Sorry about the late reply; I'm traveling. 

The current behavior of Service Bus of offering up EXTERNAL in spite of not having gotten
and verified a client credential at the TLS level not correct, and we've identified that as
a bug on our side in the process of digging through this.

Would the acceptable fix have to plumb the new API through all bindings?

-----Urspr√ľngliche Nachricht-----
Von: Andrew Stitcher [mailto:astitcher@redhat.com] 
Gesendet: Freitag, 11. September 2015 18:12
An: proton@qpid.apache.org
Betreff: Re: AW: SASL negotiation w/ EXTERNAL

On Wed, 2015-09-09 at 17:03 +0000, Clemens Vasters wrote:
> ...
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.o
> asis-open.org%2fcommittees%2fdocument.php%3fdocument_id%3d50506%26&dat
> a=01%7c01%7cclemensv%40microsoft.com%7c06d400131a5945f544bb08d2bac3ca0
> 2%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=AGNP6Xe0lSYS1oUOrXEao55
> 1nsqmeP98BZpQpf0ggq8%3d
> wg_abbrev=amqp

I looked at this and I agree it does seem quite powerful.

IUC you need an authenticated AMQP connection of some sort (ANON would
work) to send the claims though.

So I still don't understand why the server would be offering EXTERNAL seeing as it already
knows that the client certificate isn't good enough to authenticate the connection.

[Not a objection to adding the new messenger API, it just seems like the service bus behaviour
is wrong to me]

Andrew

Mime
View raw message